[Video Course] HashiCorp Certified Vault Associate
English | MP4 | AVC 1280×720 | AAC 44KHz 2ch | 6h 38m | 1.71 GB
https://www.debian.org/distrib/netinst
https://github.com/daveprowse/vac-course
UI не заработал.
// Vault UI is not available in this binary
$ http://127.0.0.1:8200/ui/
Поэтому запускаем его в Docker:
https://hub.docker.com/r/hashicorp/vault
# Lab-only listener: "tls_disable": true together with "address": "0.0.0.0:8200" and -p 8200:8200
# publishes the API (and, with "ui": true, the web UI) in cleartext on every host interface.
# The whole config travels as an environment variable, so it is also readable via `docker inspect`.
$ docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:8200", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}' -p 8200:8200 hashicorp/vault server
Lab02
# Dev server: starts already unsealed with in-memory storage and prints its root token to the
# terminal; everything is gone on exit. Learning only — never for real secrets.
$ vault server -dev
# Plain http:// is acceptable here because the dev server listens on loopback only.
$ export VAULT_ADDR='http://127.0.0.1:8200'
$ vault status
# sys/init is an unauthenticated endpoint: it only reports whether Vault is initialized.
$ curl http://127.0.0.1:8200/v1/sys/init
$ vault kv put -mount=secret color-A red=1
$ vault kv get -mount=secret color-A
$ vault kv put -mount=secret color-B orange=2
$ vault kv list secret/
# On a versioned (KV v2) mount "delete" only marks the version as deleted,
# which is why "undelete -versions=1" below brings color-A back.
$ vault kv delete -mount=secret color-A
$ vault kv get -mount=secret color-A
$ vault kv undelete -mount=secret -versions=1 color-A
$ vault kv get -mount=secret color-A
// Vault UI is not available in this binary
$ http://127.0.0.1:8200/ui/
https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-ui
Lab 03
# Working directory for the standalone (non-dev) server; the config below uses paths relative to it.
$ mkdir -p ~/vault/data
$ cd ~/vault/data
# (Repeat of the two commands above — harmless thanks to -p.)
$ mkdir -p ~/vault/data
$ cd ~/vault/data
# Paste the HCL that follows into config.hcl.
$ vi config.hcl
# Creates ~/vault/data/vault/data, which is what storage path "./vault/data" resolves to
# when the server is started from this directory.
$ mkdir -p ./vault/data
# Lab configuration for a single-node Raft server (used with the commands around it).
ui = true
# Lab-only: skips the mlock syscall, so memory holding key material may be swapped to disk.
disable_mlock = true
storage "raft" {
# Relative to the directory the server is started from (see "mkdir -p ./vault/data" above).
path = "./vault/data"
node_id = "node1"
}
listener "tcp" {
# Replace <your_IP_address> with the interface the lab clients reach (192.168.56.11 in these notes).
address = "<your_IP_address>:8200"
# Lab-only: every API call in these notes — logins, tokens, secrets — crosses the network in cleartext.
tls_disable = "true"
}
# Must match the listener above: http because TLS is disabled there.
api_addr = "http://<your_IP_address>:8200"
# Cluster traffic uses 8201 over https; Vault manages its own TLS on the cluster port
# independently of the listener's tls_disable setting.
cluster_addr = "https://<your_IP_address>:8201"
# Run from ~/vault/data so the relative storage path in config.hcl resolves as intended.
$ vault server --config=config.hcl
# Must be the address from the listener block, not 127.0.0.1.
$ export VAULT_ADDR='http://192.168.56.11:8200'
$ vault status
# init prints the unseal key shares and the initial root token exactly once; record them somewhere safe.
$ vault operator init
# Repeat until the unseal threshold is reached (entered three times in Lab 04 below).
$ vault operator unseal
// root token
# Logging in with the root token is fine for the lab; in practice it is revoked after bootstrap (see Lab 06).
$ vault login
$ vault secrets list
# Mounts a second KV engine at kv/ (a KV v1 mount unless -version=2 is given).
$ vault secrets enable kv
$ vault secrets list
$ vault kv put -mount=kv solar_system planet1=mercury
$ vault kv list kv
$ vault kv get -mount=kv solar_system
# Re-seals the server: all requests fail until the unseal keys are entered again.
$ vault operator seal
Lab 04
# Lab 04 starts from a fresh (uninitialized) server: init, then three unseal key shares.
$ vault operator init
$ vault operator unseal
$ vault operator unseal
$ vault operator unseal
$ vault auth enable userpass
$ vault auth list
# Disabling an auth method also revokes every token it issued.
$ vault auth disable userpass
$ vault auth enable -path=local_logins -description="Local Username Authentication" userpass
$ vault auth disable local_logins
$ vault auth enable userpass
# Lab-only: the password is given on the command line, so it lands in shell history and is visible
# to other local users in the process list; "password=-" reads it from stdin instead.
$ vault write auth/userpass/users/test_user password=test123
# Read-back shows policies and TTLs only; the stored credential is not returned.
$ vault read auth/userpass/users/test_user
# Same history/process-list caveat as above for the password= argument.
$ vault login -method=userpass \
username=test_user \
password=test123
// [OK!]
# The same login through the raw API. With tls_disable the password and the returned token cross the
# network in cleartext, acceptable only on this isolated lab address.
$ curl \
--request POST \
--data '{"password": "test123"}' \
http://192.168.56.11:8200/v1/auth/userpass/login/test_user | jq
Lab 05 - Vault Policies
$ vault read sys/policy/default
$ vault read sys/policy/root
# NOTE: "vault read" prints a key/value table, so default.hcl will not contain plain policy HCL;
# "vault policy read default > default.hcl" captures just the rules (">>" also appends on every re-run).
$ vault read sys/policy/default >> default.hcl
$ vault server -dev
$ export VAULT_ADDR='http://127.0.0.1:8200'
# An exported token is inherited by every child process of this shell; unset it when finished.
$ export VAULT_TOKEN=<Root Token>
$ vault status
$ git clone https://github.com/daveprowse/vac-course
$ cd vac-course/lab-05/
# Loads the admin policy shipped with the course repo under the name "admin".
$ vault policy write admin admin-policy.hcl
$ vault policy list
$ vault policy read admin
$ vault read sys/policy/admin
# Same policy through the API; the token travels in the X-Vault-Token header.
$ curl --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/sys/policies/acl/admin | jq
$ vault token create -policy=admin
# Captures only the client token instead of printing the whole create output.
ADMIN_TOKEN=$(vault token create -format=json -policy="admin" | jq -r ".auth.client_token")
# Prints the token to the terminal — fine for the lab, keep it out of scripts and logs.
$ echo ${ADMIN_TOKEN}
$ vault token lookup $ADMIN_TOKEN
# Checks what the admin policy allows on paths used by later labs.
$ vault token capabilities $ADMIN_TOKEN sys/auth/approle
$ vault token capabilities $ADMIN_TOKEN sys/auth
$ vault token capabilities $ADMIN_TOKEN auth/
Lab 06 - Vault Token
$ vault server -dev
$ export VAULT_ADDR='http://127.0.0.1:8200'
$ export VAULT_TOKEN=<ROOT_TOKEN>
$ vault token create
$ vault token revoke <CREATED_TOKEN>
# Token with a 1h TTL and a use limit of 3: each request authenticated with it should consume one use.
$ vault token create -ttl=1h -use-limit=3 -policy=default
$ export LIMITED_TOKEN=<CREATED_TOKEN_ID>
# Looked up with the root token (VAULT_TOKEN), so this should not consume a use.
$ vault token lookup $LIMITED_TOKEN
# Three self-lookups as the limited token use it up.
$ VAULT_TOKEN=$LIMITED_TOKEN vault token lookup
$ VAULT_TOKEN=$LIMITED_TOKEN vault token lookup
$ VAULT_TOKEN=$LIMITED_TOKEN vault token lookup
# Expected to fail now: the token is revoked once its uses are exhausted.
$ vault token lookup $LIMITED_TOKEN
$ vault token create -ttl=1h -policy=default
$ vault token renew <CREATED_TOKEN_ID>
$ vault token lookup <CREATED_TOKEN_ID>
# Accessors allow finding and revoking tokens without knowing their values.
$ vault list auth/token/accessors
$ vault token revoke <CREATED_TOKEN_ID>
$ vault list auth/token/accessors
# NOTE: ROOT_TOKEN is never set in these notes (the root token was exported as VAULT_TOKEN above), so the
# unquoted expansion is empty and this does not revoke the root token. Use "vault token revoke -self"
# while VAULT_TOKEN holds the root token, or pass the token value explicitly.
$ vault token revoke ${ROOT_TOKEN}
Lab 07 - Vault Leases
AWS не особо сейчас актуален.